diff --git a/build.gradle.kts b/build.gradle.kts
index 8faa5f8..3a949fb 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -8,6 +8,7 @@ plugins {
 
 dependencies {
     implementation(hlaeja.jjwt.api)
+    implementation(hlaeja.kotlin.logging)
     implementation(hlaeja.kotlin.reflect)
     implementation(hlaeja.kotlinx.coroutines)
     implementation(hlaeja.org.springframework.springboot.actuator.starter)
diff --git a/src/main/kotlin/ltd/hlaeja/service/JwtService.kt b/src/main/kotlin/ltd/hlaeja/service/JwtService.kt
new file mode 100644
index 0000000..c426614
--- /dev/null
+++ b/src/main/kotlin/ltd/hlaeja/service/JwtService.kt
@@ -0,0 +1,27 @@
+package ltd.hlaeja.service
+
+import io.jsonwebtoken.JwtParser
+import io.jsonwebtoken.Jwts
+import java.util.UUID
+import ltd.hlaeja.property.JwtProperty
+import ltd.hlaeja.util.PublicKeyProvider
+import mu.KotlinLogging
+import org.springframework.stereotype.Service
+
+private val log = KotlinLogging.logger {}
+
+@Service
+class JwtService(
+    jwtProperty: JwtProperty,
+) {
+
+    private val parser: JwtParser = Jwts.parser()
+        .verifyWith(PublicKeyProvider.load(jwtProperty.publicKey))
+        .build()
+
+    suspend fun readIdentity(
+        identity: String,
+    ): UUID = parser.parseSignedClaims(identity)
+        .let { UUID.fromString(it.payload["device"] as String) }
+        .also { log.debug("Identified client device: {}", it) }
+}